Risk Management and Compliance – Finally Coming Together?

My thanks go to Rafal Los for inviting me to guest on his fantastic blog Follow The White Rabbit on 30th June! I always look forward to reading new posts on FTWR, so actually being on it was a great honour! I work for an acquiring bank, and whilst I am particularly interested in the security of card payments, infosec is the same everywhere. Everyone has to "do" compliance in one way or another, and we all live in a very challenging socio-economic environment... I note with pleasure that the debate is starting to move towards risk management, so here's my take on it. I hope you find my ramblings of use...

The hackers’ best friends...

No one has been able to escape the news and numerous commentaries on the recent high profile breaches.

Evidently, hackers are no longer lonely teenagers in a back room trying to impress their friends: today's cybercrime industry has evolved and automated itself to improve efficiency, scalability and profitability, with the clear intent of obtaining information that can be monetised.

With the Internet as their superhighway, they have no boundaries. Perversely, the hackers' best friends are those very same businesses, with their inadequate and often outdated information security practices, and the very individuals whose identities end up being stolen: those who don't keep their antivirus and firewalls up to date, don't check the privacy settings on the many social networking sites they frequent, or fall prey to phishing attacks.

Speaking at the Worldwide Cybersecurity Summit on 1st June 2011, Sir Michael Rake, chairman of BT Group, expressed the view that awareness of cybercrime and the necessity of protecting corporate and personal data are not as highly prioritised at board level as they should be.

In parallel, governments around the world are looking to strengthen oversight and enforcement, and business leaders are now focusing on enterprise risk management as a strategic business driver.

Compliance in silos

Governance and Risk Management are familiar topics in the Board Room. It is therefore surprising that companies so often feel under pressure to meet one compliance deadline or another, and panic into implementing solutions they believe will address whichever regulation looming on the horizon is the most visible, the most urgent or the most costly to ignore, without even putting it into the context of their existing enterprise risk management framework.

Many businesses are now on their second or third cycle of trying to automate processes related to compliance with specific policies, industry standards and government regulations. With requirements evolving, companies find themselves with discrete solutions for PCI DSS, Data Protection, FSA, SOX and others. Although these businesses have achieved some successes with their initial projects, much of that success has been short-lived, and costly.

Suppliers of such solutions are often guilty of perpetuating this vicious circle by describing their offering as the next "silver bullet", and such solutions become expensive to maintain and impossible to integrate or scale.

More specifically, investment in information security gets harder and harder to secure when sustainability cannot be demonstrated to the Board. And then you get the next high profile data breach.

It’s war, Jim, but not as we know it

In our increasingly globalized world economy, competition is intense and threats have a worldwide impact. Good corporate governance can make a difference to how companies are viewed.

Compliance is about providing evidence that controls are in place; it is a tactical exercise aimed at keeping the business running. However, it is not inherently risk-aware, nor is it economically sensitive. Too much emphasis on compliance can actually increase risk by giving people a false sense of security.

Risk Management can be defined as the identification, assessment and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of unfortunate events. By connecting control (and therefore compliance) to risk, businesses can achieve major improvements in their enterprise risk management initiative.

In order to fight cybercrime, organizations therefore have to find a way of connecting risk management – already understood in the board room – with information security controls in order to improve their security posture according to their risk appetite.

Many will have realized that the recent high profile attacks were by no means sophisticated. On a wider basis, only 4% of breaches assessed in the Verizon Business Data Breach Investigation Report 2011(DBIR 2011) required difficult and expensive protective measures.

Indeed, I find it sad that in 2011 we are still vulnerable to SQL injection, lack of password management and less than adequate management of logs, to name but a few. Unfortunately, businesses and consumers tend to get complacent when a data breach doesn't directly impact them.

The well-quoted Verizon DBIR 2011 highlighted that malware - software or code developed or used for the purpose of compromising or harming information assets without the owner's informed consent - accounted for 80% of all data lost in 2010, and that within that caseload, 81% of it was carried out via SQL injection.

We wished SQL injection a happy 10th birthday last year, so these attacks are not new territory and prevention is well understood.
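To make the "prevention is well understood" point concrete, here is an added illustration that is not part of the original post or of the Verizon report. It uses Python's standard-library sqlite3 module and a constructed two-row users table; the user names, passwords and payload are all made up for the example. The same classic tautology payload is fed to a login check built by string formatting and to the same check built with query parameters:

```python
import sqlite3

# Constructed sample data for the illustration (not from the post or the DBIR).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Classic tautology payload: closes the string literal and appends OR '1'='1'.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Build an in-memory users table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Build the query by string formatting, so user input becomes SQL syntax.

    With PAYLOAD as the password the WHERE clause reads
        username = 'alice' AND password = '' OR '1'='1'
    which is true for every row, so every user is returned.
    """
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Use placeholders; the driver passes values separately from the statement.

    The payload is compared as a literal password string and matches nothing.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo():
    """Run both variants against the same payload and return both result lists."""
    conn = make_db()
    leaked = login_vulnerable(conn, "alice", PAYLOAD)      # ['alice', 'bob']
    blocked = login_parameterized(conn, "alice", PAYLOAD)  # []
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("concatenated query returned:", leaked)
    print("parameterized query returned:", blocked)
```

The fix is a one-line change per query and has been available in every mainstream database driver for years, which is exactly why it is depressing to see the same class of flaw behind so much of the data loss in the report. The parameterized form also still authenticates a genuine user correctly; the only thing it stops is the input being interpreted as part of the statement.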

Similarly, hacking - attempts to intentionally access or harm information assets without (or in excess of) authorization by thwarting logical security mechanisms - accounted for 89% of records stolen, and 76% of those were due to lax password management and authentication procedures.

Imagine what could be achieved if everyone closed down these two basic vulnerabilities. The Verizon DBIR 2011 further claimed that 87% of attacks could be prevented using simple, proactive measures.

One step at a time

There is much to learn from companies that have already started to implement comprehensive risk management strategies. One such lesson is that substantial benefits can be derived from threat or scenario modeling.

Answering a few questions, and acting on the answers to reduce risk, will improve an organization's ability to protect itself and may even reduce the cost of doing so. As an example, the following questions relate to information that has been classified as critical:

Are my employees taking information outside of the organization? How can they do this?

Can I limit access to this information to only those who need it?

What types of attackers would be interested in infiltrating my systems? What would they seek? Why?

If any web server were compromised, how difficult would it be for an attacker to work their way to the systems holding this information? How easy would it be to take that information out?

How quickly would I know this has happened? How quickly can I stop it?

How quickly do I need to respond to the market?

Unfortunately, threat or scenario modeling is practiced by only a few organizations, and I hope that it will become more common in the months and years to come.

In addition, businesses will find that their highest-risk areas will most probably already be subject to existing rules and regulations. Invariably, compliance becomes a by-product of risk management.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
